Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

ndogg writes "Michael Larabel of Phoronix was emailed a response to the reverse engineering of the Skype protocol from the VP of Skype's PR company, who said that the reverse engineering was done for the use of spam/phishing, and that it's an infringement of their IP, and that they are working to defeat it."

Perhaps if Skype's Linux client had been better maintained and offered a feature parity to the Windows and Mac OS X clients, there wouldn't be people spending time on reverse-engineering the protocol so that they could write their own client.

Or, maybe, there are just a lot of Linux users who hate proprietary software, and don't trust Skype. Skype uses a lot of anti-debugging techniques. What are they hiding?

Maybe they're not hiding anything, maybe they're just trying to protect their proprietary software. After all, they are a business just trying to make money.

They've been hiding their protocols. These are not protected by patent (which would involve publishing them, assuming they were patentable). Their implementation is probably protected by copyright, but a competing implementation is unlikely to infringe that copyright, unless it is a "slavish" copy. There does not seem to be a trademark issue in play. Conclusion: it looks like they are merely trying to protect a trade secret which has been uncovered by reverse engineering. Note that reverse engineering to uncover secret methods is entirely legitimate.

So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software. These protocols have now been made rather less secret, and apparently by legally acceptable means. So let's all say to Skype: "good luck with that".

So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software.

Not at all. Afaik, their revenue stream comes from upsell services tied to POTS interfacing and voicemail. Just because you know the client protocol does not mean you can access those services for free; they're tied to account balances that Skype maintains outside of the client connectivity.

Exactly. I pay Skype to access phone lines at a competitive rate. If another client lets me connect to their service I still need to pay them to access that service. However, if they change protocol to defeat another client, and if they do not upgrade their linux client accordingly, then they force me as a paying customer to abandon the service. Hence, Skype itself is endangering their revenue stream, not the reverse engineered client.

Their revenue stream relies on lock-in. To the unknowing masses who don't understand packet switching or P2P connections Skype might seem like a reasonable deal, but for a VOIP gateway their service is ridiculously over-priced. If a competitor can offer their own service, but still allow it's users to easily interact with Skype customers then they would have to compete based on merit alone.

If your business model is shot by having your wire protocol well understood, your business model is crap. Based on my admittedly low knowledge of Skype, I don't understand how third party clients can threaten them, since the client is free, not ad-supported, and they charge for access to services, unless they enforce those business policies client-side, which brings us to point two...

If your protocol being understood opens the door to unauthorized access to your premium services and phishing and other secu

I believe the problem they face is that if the client protocol is understood, any monkey can implement that client protocol in a program which dials millions of Skype users per second offering to sell them half-off auto warranties or telling them about that $15,000,000 they need to smuggle out of Zambia, effectively destroying the trust in Skype, potentially resulting in an exodus of customers. Their perspective is not entirely unjustified.

However, they don't appear to be spending much time working on a mitigation technique for when some jerk-off in the middle of nowhere (i.e. Nigeria) manages to achieve the same goal - because no legal threat will work on those fuckers.

Skype is Peer to Peer. It hardly needs to have something installed to allow eavesdropping, all it needs is the feds to put up a Skype client with sufficient bandwidth to pretty much guarantee a Supernode assignment - which is fairly trivial for a government.

That would not help a lot with end-to-end encryption. There are ways to eavesdrop on encrypted voice communication, but a backdoor into the crypto is what you really want. Also, a way to help the supernode selection along is most welcome and reduces effort.

The Civilian Assistance to Law Enforcement Act mandates that all telecommunications service providers install and maintain back doors into their systems for the express purpose of enabling Federal law enforcement to intercept private communications. If you want your phone calls to be "off the record" you have to use VOIP and encrypt your traffic. If a closed source proprietary VOIP provider offers encryption, they are directly obstructing law enforcement agencies in the execution of their lawfully authorized surveillance activities. There is no question that Skype has been requested to provide back doors into their "secure" proprietary protocol - unless of course it has always been trivial snake oil crypto, always a strong probability with closed source commercial products.

Of course, the parent poster already knows all the answers, and we are lucky that he took a moment away from licking the boots of his beloved owners to favor us with words of wisdom.

The Civilian Assistance to Law Enforcement Act mandates that all telecommunications service providers install and maintain back doors into their systems for the express purpose of enabling Federal law enforcement to intercept private communications.

Assuming that a) they will only ever use such backdoors for the right purposes and b) no other entity will be able to use them.

If a closed source proprietary VOIP provider offers encryption, they are directly obstructing law enforcement agencies in the execut

On the other hand, if you "confidential calls" are so confidential that you are worried about NSA, then I think you have more to worry about than simply someone eavesdropping on your conversation.

On the other hand there are plenty of well proven techniques which you can use to ensure that Eve will learn very little. e.g. using a code.Even some which can be used to discover her existance and/or identity.

Check the format (man 5 passwd): If you're going to supply such niceties as usernames rather than UIDs, or group names rather than GIDs, you must read/etc/passwd. For security's sake, the passwords are no longer kept there (at least in GNU/Linux, and I hope in any other modern OS), but in/etc/shadow or/etc/master.passwd (*BSD) which can only be read by root.

Thus, the encrypted passwords, required for brute-force decryption attempts, are not available to every Tom, Dick, and Mallory.

someone else would have been free to create a competitor network and service, and would also have been free to open their protocol, making it popular in its own way, eventually taking over and shutting down the popularity of the original network... rather than the original network having their freedom stripped from them, just so others can cash in in the game

To get into some games you have to BE the big player or you can't get off the ground. Things have changed in some circustances because of court rullings. Either companies were broken up or required to do something which allowed others to get in the game. I think AOL IM was like that.

In the case of telephone communications it was the government who helped break the AT&T strangle hold on that industry. They basically broke the company up and AT&T was required by decree to provide access to their communication infrastructure. This allowed new companies into the market because they didn't have to spend the enormous amount of money it would have taken to build their own infrastructure.

Nice rewriting of history. MCI and Sprint were already successful before AT&T was broken up. The "antitrust" action took a stagnant AT&T, created 7 squabbling RBOCs of varying competence, and effectively destroyed Bell Labs.

Maybe you should take another look at history yourself.
The Bell System divestiture of AT&T, was initiated by the filing in 1974 by the U.S. Department of Justice with an antitrust lawsuit against AT&T. MCI and Sprint were the major corporations driving this action because they could not compete with AT&T in the long distance telecommunications market because the cost of entry was to high for them to realistically compete. Prior to the breakup broadcast networks also relied on AT&T's infrast

Come on, take for example Twitter. Being the first big player in this field, it was easy for them to get "customers".However, their service could be much better when it would be open. Like e-mail is open. For instance, if the protocal was open, no single company would have had insight into all the messages being sent around, and that's a huge plus from a privacy standpoint. Skype is in a similar position.

But I guess, being the first is what counts. It started with plain old "land". And now

However, their service could be much better when it would be open. Like e-mail is open.

You picked a rather lousy example of 'open.' Email is so open that it's a spam center and that makes it significantly less useful than it could be. Twitter probably wouldn't even have come into existence if people could rely on email as being more secure and spam-free.

To an extent, perhaps. In terms of the code comprising the software, their rights exist today solely because of copyright; it is the rights granted to them by the law of copyright which establishes what they have. Indeed, copyright works by establishing a right over a fixed expression, and making that right a property right - a right of personalty. However, unlike the majority of the personalty rights, a property right of copyright is for a temporary (if legislatively extensible) period, and only reserves the performance of certain acts to the holder. Acts which do not fall within these reserved rights are outside the scope of the copyright limitations, although an owner might attempt to increase the scope of restrictions by virtue of contract - although this is only effective in the situation where the person in question agrees to be bound by those additional limitations.

Personalty through copyright, then, is not absolute - it is a restricted, time-limited right. Within the scope of the reserved rights, they are, subject to the below, free to do with it what they wish. If they wish to restrict things more widely than their rights under copyright, they need to establish a basis for those restrictions, with contract being the most likely option. Alternatively, they might look to other forms of intellectual property right, to gain additional coverage - for example, a patent covering certain aspects of functionality - or quasi rights, such as trade secret.

Not only are the ownership rights not absolute, one might also view them as Swiss cheese - full of holes, with the cheese representing the rights reserved to the owner, and the holes acts which can still be undertaken. (One could view carve-outs to reserved rights as simply areas not covered by the reserved rights in the first place, but, that's rather an academic issue here.) Under European law, for example, there is a right to study the operation of the computer program for the purpose of determining the ideas and principles which underlie the program (Art. 5(3), directive 2009/24/EC). Similarly, a licensor of a computer program has a right to reproduce and translate (acts which are otherwise reserved) relevant parts of that computer program, where such actions are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs - Art. 6(1), dir. 2009/24/EC.*

Whether there is the equivalent of these rights under US law, I am not sure, although I'm sure someone with greater knowledge of US copyright law could assist here. Similarly, I've not paid much attention to the subject of the piece, in terms of determining which jurisdictions might be applicable...

Outside the scope of copyright law, one might also look into the regulatory framework of communications services, to determine that, whilst a network might be created by someone, it does not mean that their rights are unlimited, nor that they can not be mandated to provide interoperability. Again within Europe, see, for example, Art. 12(1)(e) of directive 2002/19/EC, which provides that, amongst other things, a national regulatory authority may require an operator to grant open access to technical interfaces, protocols or other key technologies that are indispensable for the interoperability of services, or, by virtue of Art. 12(1)(g), to mandate an operator to provide specified services needed to ensure interoperability, thus taking the obligation further than merely provision of interface information.

There's nothing to suggest that a regulator has imposed such obligations on Skype**, nor that it is obligations of this nature at issue here, but it supports the point that, whilst intellectual property might grant some rights, they are not limitless, and, whilst, by definition, the rights are exclusionary, the scope of the exclusionary effect is regulated. Intellectual property exists as a matter of public benef

Put more succintly: copyright is a legal entitlement, not a moral one.

A copyright might not intrinsically assign a moral entitlement... but that doesn't it can't overlap.

If I were to spend a long time working on a book and I let you read it but you OCR'ed it and started printing hundreds of thousands of copies without paying me for the right then I think I would be right in feeling morally wronged at your exploitation of my work.

That may be part of the issue here, but it's rather different to the point which I was making, which was explaining that personalty does not necessarily mean absolute control.

Copyright may indeed be a moral entitlement, merely embodied in statute law - from an historical point of view, it's rather uncertain (at least, under English law, the position prior to the Copyright Act 1709 is not clear, given, primarily, the poor reporting o

Skype 'owns' nothing... They were granted the privilege of exclusivity by a third party that represents their interests while, at the same time, falsely claiming to represent the interests of the general public.

Allow me to introduce you to a magical concept known as utilitarianism: that which produces the most good for the most people is good. Open protocols are utilitarian. Closed protocols are the anti-thesis of utilitarian.

hes free to do with his program as he pleases, but not free to use the skype protocol as he pleases. skype own the protocol and the network that app connects too and its their protocol and network to do with as they wish. if they want to keep it closed, that is their own choice.

hes free to do with his program as he pleases, but not free to use the skype protocol as he pleases. skype own the protocol and the network that app connects too and its their protocol and network to do with as they wish. if they want to keep it closed, that is their own choice.

1. So long as he reverse-engineered Skype's protocol cleanly (i.e. he didn't have access to Skype source code directly, nor was given it by third parties), then he is, in the US at least, free to do with his implementation as he wishes.

In the US, this has historical precedent, going back to Compaq's original "clean room" reverse-engineering of IBM's BIOS for the original IBM PC, which was, for those that don't remember, what made IBM-compatible computers possible in the first place.

2. Skype is, of course, free to alter their protocol, so as to prevent his implementation from working in the future.

3. Skype's "network" isn't theirs: It leverages the Internet, after all, and so there's *no* way that they could possibly claim it to be a discrete network. In order for it to be so, they'd have to implement a completely separate world-spanning network that was physically isolated from the Internet.

Since we all know that such isn't the case now, your point in that regard is completely invalid.

Certainly, they own their servers, but those are also connected to the Internet at large. However, given the fact that they also leverage users' computers in a "P2P way", this reinforces my point that it isn't "their" network.

Yes, they are free to try keep their protocol closed, but in light of this, their best approach in my opinion is to open it: They have sufficient presence on the Internet now that doing so would only benefit them, I think.

They could become a permanent standard by doing so and have a permanent presence/place on the Internet, now and in the future and probably would, if they chose to do so.

You forget that they have been bought by MS. I'd assume that all of their decisions until the actual takeover will be predicated on what they think MS would want (if not based on MS execs outright telling them what they want). Open ain't gonna happen.

of course it will be... and it'll be on widnwos phone as well to enable windows phone users to phone up their mates using windows desktop and vice versa... MS are loving this spat as it enables the protocols to be churned so that Linux Skype users will never have the nice toys that windows desktop and phone users will have... the Linux and Mac clients will forever be behind in the churn of the protocols...

Well I would disagree about #3. It is "Their" network. The assumption I make when I install the Skype software is that I will be interacting in a P2P network with other Skype software users.

As the PR guy points out this allows Skype to better ensure the clients are legitimate users. It's a lot easier to spoof accounts, spam thousands of users etc. when there is no API and only a GUI interface. For instance I've never once received a spam message on Skype. I get at least one a month on other open mess

How do they own the protocol? They clearly have copyright over the implementations of client and server and so forth that they have written, and they may hold certain patents related to the protocol(but, if so, they haven't mentioned that fact, and the protocol's secrecy so far suggests that they didn't go down the "disclosure in exchange for limited exclusivity" path of patents). In what sense is it "property"?

In the sense that they can and it sounds like they will be actively working to break third-party connectivity. When a protocol is unpublished and hence proprietary, that's what an entity gets to do. If it works for them, and doesn't explode in their face. Which we all hope it will.

But howling with fury at the way things stand is not a productive use of time.

Granted I've never used the Linux client, but the Windows client has only been getting worse and worse. It's pretty much the definition of bloat, consuming 100MB RAM currently and not being any more capable than I remember 3 versions ago.

Most of the stuff we are missing on Linux is screensharing and multi-participant video conferencing. Would be nice to have those features, but really, the Windows client is a hog, and it's so poorly written that you can't run it in a Windows virtual machine.

I'm British, I have friends all over the country and no-one has ever used or heard this term being used as you describe it. I think you've either mixed Britain up with a very small regional part of Britain or have the wrong word.

Well, that's why trade secrets are not protected. If you want to protect them, you open them and patent them. Since the people trying to reverse engineering their protocol have no "non-disclosure agreements", I don't see how this may be protected by IP law. Then again IANAL so perhaps they can cover their asses with the Terms of Use and licensing agreements for the software. But AFAIK reverse engineering stuff should be fair.

Maybe properly define reverse engineering in the copyright law so that not everything is allowed? Though using the reverse engineered protocol implantation to access the original service is perfectly legal under most copyright laws.

I agree with the fact that security through obscurity is never a good stance, however I do recall reading an article either in Linux Pro Magazine or a similar print publication several years back that an outside security researcher was given access to Skype's source and his conclusion was that the protocol was indeed secure. In this case, I believe the company just doesn't want others seeing into their product. Myself, I'm not giving any opinion as to what I think about reverse-engineering it, just wanted

Obscurity keeps Joe Derp from breaking into your system on accident. Obscurity does nothing for motivated attackers. Since security is all about time-until-breakage, and obscurity at best adds time on linearly (admittedly, this is hard to measure) compared to the exponential gains provided by properly implemented cryptographic protocols the only reason to rely on obscurity is if you're a water headed moron who thinks it makes a difference because you can't imagine a mindset other than your own (i.e. the m

Apparently you fail reading comprehension if you think my post supports that view.

My ENTIRE point was that obscurity, alone or in addition to "encryption and stuff" ONLY inconveniences legitimate users while providing zero security benefit. To make this as simple as I can, since you seem to have missed it the first time:

Since "intellectual property" is a oxymoron, describing something physically impossible to morons (who else would believe it?), and "IP" is already reserved for "internet protocol", I agree.

Copyright, to take just one form of IP, has a legal history going back at least 300 years. You may not like lawyers but when you dismiss them as "morons," you're operating on the same level as the guy who thought he could get out of paying taxes because the IRS had capitalized his name.

If a spammer or phisher would reverse engineer a protocol, it's very unlikely they would publish about it, since that would help their competition. It is possible that spammers or phishers will use the results of reverse engineering of course, but if your protection against malicious activities consists of a secret protocol then you should consider implementing real security instead of blaming the reverse engineering.

In any case it's clear that Skype doesn't want third party clients to interoperate with their own, so instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

I find it hard to understand why people use skype at all when there are plenty of good voip providers. Skype has completely random call quality/ you never iknow if a connection will be fine or sound like it in an echo chamber or have a buzz. You can get excellent voip service for $5 to $10/month. Indeed Ooma offers FREE service (but requires you to purchase a $130 appliance and pay the E911). Ooma's quality is excellent their service is responsive and it keeps getting better (HD voice now available f

I use Mac and Linux, my in-laws and some of my contacts use Windows.Give me a client that reliably (well, as reliably as Skype, anyway) works on these platforms (iOS would also be nice, as both I and the missus use that as well) and is simple enough to install and start for my in-laws, my parents, and the others I want to contact.Google chat should work, but is seriously confusing to beginners, and they want a standalone client anyway.

When you can point me to that VOIP client, then I'll consider dumping Skype.Until the, Skype is king.

But it's setup isn't as simple.You still can't select the used port range without manually editing the configuration with gconf-editor, for example.There are some nice efforts to avoid the whole "opening-port" thanks to STUN and TURN technologies.But still there are lot of situation where you end up with the dreaded "Sorry, ekiga couldn't configure your network automatically" window.

Meanwhile, skype, because it uses aggressive techniques coming from th

it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

As you know, for performing a telephone call, you need 2 ends. Try convincing the other end to install your open-source VOIP client of choice!

That's the problem!

IMHO, a much better approach against such lock-in would be to first develop an open-source binary compatibility layer inside web-browsers, like google is doing with native client (NaCl). That way, you could make a phone call by asking the other party to visit a website (assuming you have written your phone client software for that binary compatibility layer of course).

The CL spammers are about as bad, discussing how to scam authorization codes out of regular people now that CL has tightened things up to one account per phone #. (Though some of that tightening is annoying for people trying to do legit business)

Why do I keep getting the same inane message from "Natalia", posted from various temporary accounts? I've blocked every account it's come from; I'm sure many have. Is Skype really too slow to get the hint? Jesus, make the spammers work a bit to change a word here and there! It's shocking to me how little Skype cares about spam and phishing in their network. My point is, you can do all the spam and phishing you want with the native client, because Skype apparently does nothing to stop even the clumsiest of spammers who know how to solve a capcha. So their alleged interest to protect their users was conveniently discovered when the possibility of competition suddenly arose.

The inane Skype message I keep getting from various accounts I keep blocking is one trying to tell me they've detected a security problem on my Windows system - even though I am logged in from Linux. Maybe once a month I get this, almost always in the middle of the night while I am sleeping.

They claim violation of their IP. Is that copyright? probably not. Trademark? Nope. Patent? Hmmm do they have a patent in this area? I don't know, but probably not. That would leave trade secrets, which IIRC are not protected from reverse engineering in any way. IANAL but they really should say what is being violated, not just the nebulous "IP".

Or am I the only one who thinks M$ will use this as an excuse to work their "embrace, extend, extinguish" magic on Skype? This is just a way for the pirates of Redmond to kill the Linux (beta) client - which, incidentally, hasn't seen any progress in the last two years - while keeping their grubby little meat-beaters clean.

I suspect that it depends on where they plan to slot Skype into their list of product offerings.

If it becomes part of some 'enterprise' offering, playing cat-and-mouse would likely not be a sensible strategy. Corporate/institutional customers hate petty version churn of the sort needed to keep constantly breaking 3rd parties and they have a fairly low likelihood of going with 'unofficial' software. They may well keep globbing on new features(as with Office document formats, Sharepoint tie-ins, etc.); but corporate customers are conservative enough that even the perception that 3rd party clients are not feature-complete and 100% compatible usually keeps them well away, and the few exceptions are likely to either be impecunious contrarians or competing titans(eg. IBM) large enough to make an issue of it if you play dirty.

If it becomes a "Live" consumer offering, playing cat-and-mouse is at least an option, since the consumer market has largely learned to suck up their auto-updates when told(and isn't behind a firewall that blocks them, and doesn't need to open a ticket with IT to install them...) It still isn't totally clear what their motivation would be(since they would still control the skype-out gateways, where the money is, and having third parties voluntarily make your network more popular among markets you don't feel like serving doesn't seem like an obviously bad thing(though they might keep the banhammer hovering, just to ensure that people license the rights to embed skype in wifi VOIP phones and whatnot from them, rather than go 3rd party...)

If it becomes a consumer-electronics thing, affiliated with xbox or Windows Phone, it seems to be some sort of ontological obligation to lock it down as hard as possible, just on principle, just because that is how they roll in console-land.

I find it a likely story that someone would open-source Skype for the purposes of sending spam. That's an activity you keep secret and sell to spammers for big bucks. So without even knowing the motive we get this attack on the coder by none less than the VP of Skype's PR company. There should be a good libel suit in here somewhere.

From what I understand Skype uses encryption as well as proprietary protocols to provides its services. No doubt many governments around the world, fearing the possibilities enabled by secure and anonymous point-to-point communication, would be very interested in learning anything they can about how it works and what weaknesses it might have, if any.

This is an excuse to rework the code so the already outdated Linix client is rendered useless on their network. Sorry, but due to a recent security breach and lack of resources we must cease development on Skype for Linix. Double whammy: blame it on open source hackers and also piss off Linux users.

As for Mac, Skype will give the MacBU something to do other than play XBox all day.

Here's the exact quote from TFA: "This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."

Even the PR drone is saying "unauthorized us for malicious activities"... so reverse engineering the protoc

And you don't want to have to compete on SERVICE, only features. Much harder to compete if the protocol is open, and consumers have actual CHOICE. In the end openness could make for a better product, but only if Skype is up to the task.

Riiiight, and if the protocol was completely open like SIP we wouldn't have the problems with Robodialers like SIP because? The problem with mass communication protocols is there are plenty of assholes in legal nowherelands that can and WILL use anything and everything they can get their slimy hands on to hack, harass, spam, and generally act like giant fucking douchebags without regards to anyone but themselves.

One should never forget the universal truth that is Gabriel's Greater Internet Theory [penny-arcade.com] and then add in the ones that would be acting like douchebags because they could make money doing so ON TOP of the ones just being dicks for the sheer fun of being a fucktwit? It would be a damned mess and you KNOW this. The reason why everyone uses Skype is that it "just works" without having to worry about your video chat window suddenly popping up with someone's junk in it or getting called every two seconds from some automated voice trying to sell you herbal Viagra. While I think FOSS is fine in some places, in others it would be a BAD idea, and I'd say this here is one of the latter.